hijack

Discussion in 'adware, spyware & hijack cleaning' started by madsgyver, May 25, 2004.

Thread Status:
Not open for further replies.
  1. madsgyver

    madsgyver Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    I have a problem with http://th.msie.cc/index.php?aid=551 hijacking my start page. Can anybody help me? Here is the HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:44:06, on 25.05.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
    C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Programfiler\Norton AntiVirus\navapsvc.exe
    C:\Programfiler\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Programfiler\Winamp3\winampa.exe
    C:\WINDOWS\winupdate4.exe
    C:\WINDOWS\SYSTEM32\P2P NETWORKING\P2P NETWORKING.EXE
    C:\Programfiler\QuickTime\qttask.exe
    C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
    C:\Programfiler\Telenor Plus\Forbruksmåler\Forbruksmåler.exe
    C:\Programfiler\Kazaa Lite\kazaalite.kpp
    C:\Programfiler\MSN Messenger\MsnMsgr.Exe
    C:\Programfiler\Microangelo\muamgr.exe
    C:\WINDOWS\System32\WScript.exe
    C:\PROGRA~2\ONLINE~1\ADSL\ADSL.exe
    C:\Programfiler\Messenger\msmsgs.exe
    C:\Programfiler\Internet Explorer\iexplore.exe
    D:\Mine dokumenter\progz\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hstpam.t.muxa.cc/s.php?aid=551 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hstpam.t.muxa.cc/s.php?aid=551 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hstpam.t.muxa.cc/h.php?aid=551 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://hstpam.t.muxa.cc/s.php?aid=551 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hstpam.t.muxa.cc/h.php?aid=551 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hstpam.t.muxa.cc/s.php?aid=551 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hstpam.t.muxa.cc/s.php?aid=551 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://hstpam.t.muxa.cc/s.php?aid=551 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fra Online ADSL
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://hstpam.t.muxa.cc/h.php?aid=551 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBLive\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Programfiler\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [WinampAgent] "C:\Programfiler\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [WinUpdate] C:\WINDOWS\winupdate4.exe
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM32\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [KAZAA] "C:\Programfiler\Kazaa Lite\kpp.exe" "C:\Programfiler\Kazaa Lite\kazaalite.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [start_forbruksmåler] C:\Programfiler\Telenor Plus\Forbruksmåler\Forbruksmåler.exe C:\Programfiler\Telenor Plus\Forbruksmåler
    O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - Startup: online ADSL.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Microangelo Desktop.lnk = C:\Programfiler\Microangelo\muamgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Search.vbs
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37905.3046064815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E6B3E772-F23F-4DD6-BC4C-594EB3C96CEF}: NameServer = 130.67.15.198 130.67.60.68

    Thanks!!!
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    To start cleaning up your computer, please download CWShredder.
    This was written to deal with CoolWeb and all its variants.

    Download and run the program. Let it fix everything it finds, and reboot.

    Run HijackThis again, and post a fresh log so we can deal with whatever is left.
     
  3. madsgyver

    madsgyver Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    Thanks a lot for the help.
    Here is the new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 16:54:44, on 30.05.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
    C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Programfiler\Norton AntiVirus\navapsvc.exe
    C:\Programfiler\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Programfiler\Winamp3\winampa.exe
    C:\WINDOWS\winupdate4.exe
    C:\WINDOWS\SYSTEM32\P2P NETWORKING\P2P NETWORKING.EXE
    C:\Programfiler\QuickTime\qttask.exe
    C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
    C:\Programfiler\Telenor Plus\Forbruksmåler\Forbruksmåler.exe
    C:\Programfiler\MSN Messenger\MsnMsgr.Exe
    C:\Programfiler\Kazaa Lite\kazaalite.kpp
    C:\Programfiler\Skype\Phone\Skype.exe
    C:\Programfiler\Microangelo\muamgr.exe
    C:\PROGRA~2\ONLINE~1\ADSL\ADSL.exe
    C:\Programfiler\Messenger\msmsgs.exe
    d:\Mine dokumenter\Mine mottatte filer\Lame\EAC.exe
    C:\Programfiler\Outlook Express\msimn.exe
    C:\Programfiler\Internet Explorer\iexplore.exe
    d:\Mine dokumenter\progz\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fra Online ADSL
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBLive\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Programfiler\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [WinampAgent] "C:\Programfiler\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [WinUpdate] C:\WINDOWS\winupdate4.exe
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM32\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [KAZAA] "C:\Programfiler\Kazaa Lite\kpp.exe" "C:\Programfiler\Kazaa Lite\kazaalite.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [start_forbruksmåler] C:\Programfiler\Telenor Plus\Forbruksmåler\Forbruksmåler.exe C:\Programfiler\Telenor Plus\Forbruksmåler
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: online ADSL.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Microangelo Desktop.lnk = C:\Programfiler\Microangelo\muamgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37905.3046064815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E6B3E772-F23F-4DD6-BC4C-594EB3C96CEF}: NameServer = 130.67.15.198 130.67.60.68

    All seems to be okay.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi madsgyver,

    There is one entry in your log I don't trust.
    Could you send me a copy of:
    C:\WINDOWS\winupdate4.exe
    Use the address in my profile please.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [WinUpdate] C:\WINDOWS\winupdate4.exe
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM32\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART

    O4 - HKLM\..\Run: [KAZAA] "C:\Programfiler\Kazaa Lite\kpp.exe" "C:\Programfiler\Kazaa Lite\kazaalite.kpp" /SYSTRAY

    Then reboot and uninstall P2P Networking in Add/Remove Software.

    Regards,

    Pieter
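One way to compare the two logs posted above and triage what is left, as an added example that is not part of this thread or of HijackThis itself: it parses a few HijackThis lines copied from the posts (a constructed sample) and applies simple heuristics of my own (obfuscated IE start/search pages, autostart entries that run scripts or .reg files, executables dropped straight into C:\WINDOWS), which is roughly what the items flagged for fixing in this thread have in common.

```python
import re
# Constructed sample: lines copied from the two HijackThis logs posted in this thread.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hstpam.t.muxa.cc/h.php?aid=551 (obfuscated)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinUpdate] C:\WINDOWS\winupdate4.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - Global Startup: Search.vbs
"""
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinUpdate] C:\WINDOWS\winupdate4.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
"""
SCRIPT_EXT = (".vbe", ".vbs", ".reg", ".js", ".bat", ".cmd")

def parse_log(text):
    """HijackThis entries as (section, body) pairs; header and process list are skipped."""
    found = (re.match(r"^(R[0-3]|O\d{1,2}) - (.*)$", ln.strip()) for ln in text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def removed_entries(before, after):
    """Entries in the first log that are gone from the second, i.e. what the cleanup removed."""
    remaining = set(parse_log(after))
    return [e for e in parse_log(before) if e not in remaining]

def o4_command(body):
    """Launched command from an O4 body ('Run: [Name] cmd' or 'Startup: x.lnk = cmd')."""
    m = re.match(r".*?: \[[^\]]*\] (.*)$", body) or re.match(r".*?Startup: (.*)$", body)
    return (m.group(1) if m else body).split(" = ", 1)[-1].strip()

def suspicion(section, body):
    """Triage rules of this example (not a HijackThis feature); None when nothing fires."""
    if section.startswith("R") and "(obfuscated)" in body:
        return "IE start/search page set to an obfuscated URL"
    if section == "O4":
        cmd = o4_command(body)
        if any(t.strip('"').lower().endswith(SCRIPT_EXT) for t in cmd.split()):
            return "autostart runs a script or .reg file instead of a program"
        quoted = re.match(r'"([^"]+)"', cmd)  # honour a quoted path containing spaces
        exe = (quoted.group(1) if quoted else cmd.split()[0]).lower()
        if re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", exe):
            return "executable sitting directly in the Windows folder; verify the file"
    return None

def triage(text):
    return [(s, b, suspicion(s, b)) for s, b in parse_log(text) if suspicion(s, b)]
```

Running `triage(AFTER_LOG)` on the second log leaves exactly the two C:\WINDOWS executables, while `removed_entries` shows the obfuscated start page and the script autostarts were taken out by the first cleanup pass.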
     